Security and identity as a service, and how Apple could lead the way

As rumors keep swirling about the fingerprint scanner Apple will be introducing with the iPhone 5s, the subjects of mobile security and identity keep getting raised. Passwords are an absolute pain in the ass on mobile, and identity is a problem that not only hasn't been solved, but that some companies either lack interest in solving, or lack the trust necessary for us to want them to solve. Industry analyst Ben Bajarin - listen to him on the latest Vector podcast - thinks that leaves the door wide open for Apple. From Tech.pinions:

Security as a service could become a key differentiator for Apple products and a driving reason to choose Apple products over others. But even more interestingly, their competition (Google) doesn't care about security. It is a battle field their core perceived competitor has no interest in playing on. And that makes it all the more important.

It's important to distinguish between different meanings of the term "security". This isn't privacy protection on a governmental scale. Sadly, it doesn't look like any of the major players, Apple included, is willing or able to stand up to governments - legally, illegally, or questionably - demanding access to our communications and other data. (See the ongoing NSA scandal).

This is perhaps better termed authentication or identity as a service, where a mobile device ascertains with a certain standardized degree of certainty that we are who we say we are, and that's used to allow us access to the device, to our login systems like iCloud Keychain, to payment systems like a future version of Passbook, and to other services linked to the chain.

It could be a huge business for anyone who can provide a sane, simple solution, and both of those qualities are among Apple's traditional strengths.

Reader comments


Wow Rene, I think this article is going way out of hand. I think the fingerprint scanner would be a good way for the gov't to get fingerprints from people. It's neat but it's also 1 more way to get stuff from the people really easy. What do you think?

I'll definitely agree with you about Apple not always necessarily being first with new technologies or software.

But, as for the trolling... Uh, I actually never feel the need to troll iSites ~ most of us use news aggregators with keywords such as "Android" so, when I saw the title of your article, I felt the need to read about Apple's latest "new" feature and thought it odd there's never [ever] any mention about Motorola ever implementing the fingerprint scan on one of their older devices.

Anyway, no trolling here, I hope my comment didn't give you that impression. I simply wanted to inform the many iFollowers here that Apple wasn't the first to have this feature.

The difference is that Apple has the name branding and brand recognition to bring it mainstream, especially if they advertise it from the point of view of security alongside convenience. Call it luck or timing, but with all the NSA info stealing, Chrome password encryption, and media/government attention to phone theft going on, Apple may have timed this just right.

Sadly, for Motorola, no one cared at the time or saw the security benefits of what they were trying to bring to the table. I hate it too because Motorola was always at the top of the heap on push to talk technologies that lost their way because the networks they partnered with refused to grow. Combining PTT, and a convenience/security feature like a fingerprint scanner, and developing their own hybrid version of the Android OS with more security features could have put them in the heart of enterprise sales and service.

Come on Rene, Oletros made a serious comment. You didn't back up your "Google doesn't care about security" with any data as to how you came to support this statement.

You changed the article to be more about accessing a phone, I get that. All Android phones have the choice between passcodes or designs to enter. And they even made it better by dragging the unlock pic to an app to auto launch that app. It took years just to get Apple to let us launch the camera app faster. Please elaborate.

Ugh, Rene, Come on. "Security as a service, with Apple leading the way"? Seriously? By "supposedly" putting a finger print scanner on the phone that's leading the way? Where was this op-ed when Google put out Face Recognition?

"Passwords are an absolute pain in the ass on mobile"? Just how lazy are you, Rene? Pressing 4 buttons to get into your phone are really that traumatizing for you? Hit the gym man, sounds like you could do with a little working out if typing in your pw is that much of a pain in the ass.

"But even more interestingly, their competition (Google) doesn’t care about security. It is a battle field their core perceived competitor has no interest in playing on. And that makes it all the more important." Yeah, because, like another poster above pointed out, Google didn't JUST encrypt all Cloud storage moving forward.

"Given everything from the NSA controversy" Last time I checked, no one has been more vocal than Google about demanding the right to share with the public just what information they shared. Sounds like what they gave out wasn't so bad and they want the American people to know it so they stop getting flamed by the press and iMore.

"Passwords are an absolute pain in the ass on mobile"? Just how lazy are you, Rene? Pressing 4 buttons to get into your phone are really that traumatizing for you? Hit the gym man, sounds like you could do with a little working out if typing in your pw is that much of a pain in the ass :P

Is that better BB? It was just teasing, I know Rene isn't getting gassed logging into his iPhone.

So now, teasing you, means I'm not classy? I really don't think typing a passcode on your phone is gassing you or making you break a sweat. Lighten up Rene, I know you get trolled a lot here, and I know I'm VERY direct on this site, but at this point I'd hope you'd know I'm not intentionally hurtful.

And you keep saying PW's are a huge problem but don't back it up by saying why or how. Please elaborate, why are they a huge problem? Everyone I know, iOS and Android users alike, uses a pw to unlock their phone and I've never once heard anyone complain about it. It's like complaining that you have to unlock your car door. "GAWD!!! I have to unlock my car door AGAIN!? I just unlocked it 12 hours ago! And it's parked in MY DRIVEWAY!!! The travesty!"

But then you switched your argument just now and say "computers". Are we talking about computers or are we talking about smartphones? Semantics aside, I'm the only person I know locking my computer with a PW, while, like I said, everyone I know uses one on their smartphone.

"Your teasing, sadly, is systematic of a widespread problem in technology." OK, how about this. You try not to carry baggage from trolls when reading my comments, and I'll tone it down and throw in a lot more :)'s and :P's, so the trolls will know I'm kidding and won't feel emboldened to be douchy to you? Deal?

"Are you aware of the percentage of users who use passcodes vs. those who don't? Those who backup vs. those who don't?" I don't, in another space I asked you to poll it, I think it would be a great thing to ask. I've never once been polled on the subject. BUT, every single person I know who uses a smartphone uses a passcode so I'm not the best person to ask.

"iCloud backup and Time Machine are attempts to mainstream backup. Apple is likewise attempting to mainstream authentication.

John Siracusa did a great job explaining the incorrectness of your line of thinking on the last ATP podcast, it's worth a listen."
I can't tell if these two thoughts were connected? Please elaborate on what you're referencing, not sure what you mean by "your line of thinking."

Automatic vs. manual. People in Europe make fun of people who drive automatic, they say only handicap people drive automatics. I prefer manual, so much more fun to drive.

"Technology's job is to make things easier for people. There's no room for elitism." Please don't talk to me like I'm other people. I know the job of technology :P

I get the impression you think I don't like the finger print scanner. Let me go on record, I could care less. I use a finger print scanner at work and it SUCKS!!! I have to try to clock in 2-4 times a day before it takes. But if Apple has it locked down, I'm fine with it. I'd much prefer quick reply for text messages over a finger print scanner though :P

I think this is the point that is not highlighted enough in both tech and non-tech venues. Security is optional in most instances and when it is required the minimum threshold is generally useless.

Getting security right on the web and with hardware is difficult even for those who live in technology; it is abstruse, tedious and frustrating for everyone else.

If Apple, or anyone, could create a foundation upon which a higher standard of security is both mandatory and simple (just works), and then integrate that with existing hardware and services, then it will give them an enormous marketing advantage over those that once again are playing catchup.

I think the key thing here will be in proving that simple can be effective. People already do simple....PW = "password123"

Defensive? It doesn't exist. I'm calling him out for using a hypothetical security device. Everyone thought the new LG was going to have a finger-print sensor and it turned out to be the new volume rocker button. I love tech, but I love facts even more.

I know I give you a lot of shit (read: tough love), especially on your op-eds, but the one thing I respect the most about you and the site, and what keeps me coming back after screaming at you through my monitor after said op-eds (:P), is the fact that you don't jump on rumors.

Still, I prefer not to debate hypotheticals. I know finger print scanners exist, but until an iPhone with it is on the market, I'd rather debate other things, no offense.

Passwords can be hacked, especially a four digit numeric password which could be hacked in just a matter of moments by even a half ass hacker. Not to mention someone simply looking over your shoulder. A fingerprint is next to impossible to replicate without some serious tech. Not to mention the convenience of a quick swipe accessing your phone.

I don't think that's Google's MO. I think they are very upfront with how they are using our data if we use their free services. I personally don't have a problem with it because their own browser allows you to turn off the ads in Gmail, I don't get ANY spam from my Gmail account addresses, and I don't get unsolicited spam sent to my house. So it doesn't really affect me so far. It's not like there's some guy at Google creating a database of all our information and reading our most deepest darkest secrets. It's a computer looking at 1's and 0's to try to make our lives easier, whether it's working or not, is up to you. I use an Outlook.com email and emails from my own server and personal sites, but I forward everything to Gmail because I think it's the best, most intuitive email service around so far.

Read that PDF Adem Reka posted. It's pretty eye opening, if true, at just how little Apple cares for your personal information on your iPhone. It's funny, because Google, just today, changed the terms of service in the Play Store to make it even harder for apps to get your phone's info.

You didn't link the article, unless you meant Bajarin's? If you meant Bajarin, I don't like to debate someone about someone else's "opinion". It's too hard because we're not basing anything on facts, but...wait for it...someone else's opinion.

And I think you are 100% wrong if you think most people aren't using a passcode on their smartphones. But it's a waste to debate it. Why don't you guys throw up a survey about it, I think it would be great so we can have a reasonable debate about it. I know the people who go to this site, aren't always the "average" iPhone user, but I think it would give us more to go on when we are on opposite sides of the coin on this.

As to your other points, we're talking on a couple threads, so read my other responses to them and we can move forward from this point, hopefully with you knowing I'm not trying to hurt your feelings. I'll try to put in more :)'s and more :P so you know I'm kidding. It's a tech site, not a march on Washington, let's try to be able to joke around a little.

Only one I could find said slightly over half don't use pass codes and that was done in 2011.

Honestly, if someone tells me that using a pass code is too cumbersome for them, I'll ask them where they park their car. Lazy people deserve to have their shit stolen. I know that's harsh, but it's such a stupid American response, when the rest of the world is doing all they can to protect their lives. Sure in a perfect world, no one would steal, and Antelope would be able to kick a Lion's ass and not get eaten by it. Americans complain about data not being secure from the NSA and then don't take basic precautions like using a 4 digit passcode.../facepalm.

And before you say it, it's not other people's responsibility to use technology to allow people to be lazier and dumber. The job of technology is to allow us to use our brains for higher functions and be smarter.

Point is, It sucks to have your data given to the gov't. Pics, Vids, Text, Call, etc. I personally don't like people knowing all my info. Even if i'm not doing anything bad. Any comments would be great.

I think Apple cares much more about user experience than security. However iCloud Keychain is a good step in the right direction. As for Google "doesn't care about security" put your fanboy glasses off. Android and iOS are the same at stealing data:

Report Highlights
The vast majority of free apps send and receive data to outside parties without encryption.
96% of total apps share data with advertising networks and/or analytics companies.
79% of the top 50 free iOS and Android apps are associated with risky behaviors or privacy issues. Overall, iOS apps exhibited more risky behaviors than Android apps.
Entertainment apps were the worst offenders out of the top five categories, with the highest number of apps that track for location and share data with advertising networks and/or analytics companies.
While 14% of iOS apps had access to a user’s calendar, none of the Android apps had similar access.
More than half of the total apps track for location by accessing the device GPS or using other location tracking methods.
More than 80% of apps across categories come from different unique, individual developers.

New research from BitDefender shows that applications for Apple iOS and Google Android may have their digital eyes and hands on more user data than you think.

Using their Clueful app, researchers at BitDefender examined how apps for Android and Apple's iOS treated private data, such as location information and contact lists. What they found may seem startling -- of the 207,843 free applications for iOS, 45.41 percent have location-tracking capabilities, whether they used them or not. Of the 314,474 free applications for Android, the percentage was 34.55.

When it comes to having the ability to read contact lists, the numbers were 7.69 percent for Android and 18.92 percent for apps designed for iOS. An iOS app called "3D Badminton II" (v. 2.026), for example, reads contacts' emails and sends them to a server in Hong Kong.

"Among the most interesting pieces of information for an advertising network are e-mail addresses and unique device IDs/IMEI," according to the report. "This data also may be shared with third parties to, for example, send consumers behaviorally targeted advertisements, according to a recent Federal Trade Commission report."

"About 14.58% of the Android applications may leak your Device ID and 5.73% of the total number of apps may leak your e-mail," the researchers note. "Again, iOS applications appear to be more focused on harvesting private data than those designed for Android."

Some examples for iOS include Ringtone Maker version 1.7, which sends the device ID to "adfonic.net," and Paradise Island: Exotic (v. 1.3.14), which sends the device ID to a number of third-party websites. Meanwhile, an Android app called Logo Quiz Car Choices (v. 1.8.2.9) shares email addresses, the researchers found.

"Most people do not pay attention to the permissions required by the application they are about to install for a variety of reasons," observes Bogdan Botezatu, senior e-threat analyst at BitDefender. "They may not realize that those permissions are important in any way for the security of their device. They may not understand what each permission means and how it impacts the security of the terminal, or may not have other options but to accept the permissions if they want that application to run on their device. This is actually one of the most important shortcomings of Android -- the fixed permission model that asks you to go all in with the permissions or else you're not going to be able to run that application."

Android security has been in the spotlight during the past few days, as vendor Bluebox Security announced plans to release details of a serious Android vulnerability exploit at the upcoming Black Hat security conference in Las Vegas. According to Bluebox Security, the vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, enabling a bad actor to modify APK code without breaking the cryptographic signature. The vulnerability only comes into play, however, in the case of applications downloaded from third-party app markets.

"Although this loophole has been present in Android devices since 2009 and is yet to be exploited by cyberthieves, the 'master key' is a major concern for consumers and also businesses, which are increasingly reliant on mobile devices for work and, moreover, accessing company data," says Grayson Milbourne, security intelligence director at Webroot. "An attacker being able to steal data or eavesdrop on calls or emails is clearly a major problem."

Judging by the extremely small number of malware incidents in the past years, most people would probably consider iOS much safer than Android, says Botezatu. However, this does not appear to be the case when it comes to privacy issues.

"We have two distinct operating systems that work differently and are built differently, and, yet, they attempt to get to the same kind of user information, as long as access to it is permitted by the application market," he says.

Google is bad on security just like Apple. Both are getting better but I feel Blackberry is still the most secure. Plus, Blackberry is owned by a Canadian Company so I don't have to deal with all the NSA stuff. Any opinions or thoughts?

Thinking like this "But even more interestingly, their competition (Google) doesn’t care about security." is why analysts get mocked as being idiots. This guy is just the latest addition to the cesspool.

Your inability to generate a meaningful reply aside from "you're failing to read" isn't really helping your case. It's sad that you felt the need to spread such ignorance when you really should be taking guys like this out to bjj mat, but then again you also think "Find my Phone" has something to do with security and/or authentication.

Most people don't read, they just want to point out someone else is wrong on the internet. It's sad and devalues comments. Hopefully people will invest a few minutes to raise the bar and increase the value of the discussion.

Uh oh Rene, lol you called out Google! Prepare to be besmirched by trolls! But seriously, I wasn't going to upgrade to the 5s but a finger print scanner may actually have me sold because I have a lot of sensitive info in my phone from personal finances to access to some work files. We will see.

Please don't troll here. You'll get removed. Make it personal, you'll get banned. Last warning.

Also, I'm not a conspiracy theorist, and I don't think this applies to Google alone (all major tech companies). But before you defend Google - and notice I'm at no point defending Apple when it comes to privacy - give this a read:

I would also point out that security has not been a major concern for Google. Their whole issue is to catalogue the world's information and make money off of it. Not to mention, it was only a couple of weeks ago that all the media fallout occurred because "everyone" suddenly realized that Chrome doesn't encrypt passwords. Google blew the whole thing off as not an issue and therefore will not fix it.

I hear you and I'm with you. A feature war would mean better security and hopefully more convenient security for us, the consumer. I just knew that because you even mentioned Google or quoted someone else who has mentioned Google would bring the fallout, hence @richard451 's and @Trappiste 's comments below.